Squid 整合 Win2K AD 認證的 Proxy Server

    緣起:

    舊的 win proxy server 經常當機, 重建前考量系統穩定及未來病毒侵擾可能, 我們選擇了 Linux 解決方案, 當然低費用的絕對優勢, 企業主們肯定不會反對.

    說明:

    OS= Redhat Enterprise Linux AS 4(完全安裝)
    Kernel= 2.6.9-22.0.1.ELsmp
    Squid= squid-2.5.STABLE6-3 (rpm -qa | grep squid)
    Samba= Version 3.0.10-1.4E (smbd -V)
    相關的套件均使用內建的版本, 也不用重新編譯.

    安裝步驟:

    Step 1) 設定 Samba
    檢查 Samba 編譯時的參數

    #/usr/sbin/smbd -b
    --with Options:
    WITH_ADS
    WITH_AUTOMOUNT
    WITH_PAM
    WITH_QUOTAS
    WITH_SENDFILE
    WITH_SMBMOUNT
    WITH_SYSLOG
    WITH_UTMP
    WITH_WINBIND <<
    

    參數內需包含 winbind, 如果沒有, 請重新編譯安裝檔, 如果已包含, 請跳過此步驟.

    重新編譯 samba rpm:
    從官方網站下載相應版本的 source rpm = samba-3.0.10-1.4E.src.rpm
    ftp://ftp.redhat.com

    #rpm -i samba-3.0.10-1.4E.src.rpm
    #cd /usr/src/redhat/SPECS
    #vi samba.spec
    

    找到這幾行

    CFLAGS=-D_GNU_SOURCE %configure
    --with-acl-support
    --with-automount
    .....
    --with-swatdir=%{_datadir}/swat
    

    後方加上這兩項

    --with-winbind
    --with-winbind-auth-challenge
    

    開始編譯

    #rpmbuild -bb samba.spec
    

    如果一切順利且無錯誤訊息, 會產生相關的安裝檔於 /usr/src/redhat/RPMS/i386,
    因為要移除原來的 rpm 可能會有相依性的困擾, 由於我們使用相同的原始檔作重新編譯,
    當重複安裝時, 可以覆蓋(force)方式安裝.

    #service smb stop
    #cd /usr/src/redhat/RPMS/i386
    #rpm -ivh --force samba-3.0.10-1.4E.i386.rpm
    #rpm -ivh --force samba-client-3.0.10-1.4E.i386.rpm
    #rpm -ivh --force samba-common-3.0.10-1.4E.i386.rpm
    #rpm -ivh --force samba-debuginfo-3.0.10-1.4E.i386.rpm
    #rpm -ivh --force samba-swat-3.0.10-1.4E.i386.rpm
    

    修改 smb.conf 及 krb5.conf

    #vi /etc/samba/smb.conf
    [global]
    workgroup = NTDOMAIN
    realm = NTDOMAIN.COM
    security = ADS #AD網域模式
    password server = MyDC #你的Domain Controller
    encrypt passwords = yes
    wins server = MYWINS #你的WINS server
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash #選擇性
    template homedir = /home/%D/%U
    winbind use default domain = yes
    
    #vi /etc/krb5.conf
    
    [libdefaults]
    default_realm = NTDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    
    [realms]
    GTTW.COM.TW = { ##要大寫喔
    kdc = MyDC
    default_domain = NTDOMAIN.COM
    admin_server = MyDC
    }
    
    [domain_realm]
    .gttw.com.tw = NTDOMAIN.COM
    gttw.com.tw = NTDOMAIN.COM
    

    將 Linux 加入 AD 網域

    #net ads join -U Administrator%mypass
    

    出現錯誤訊息"KDC has no support for encryption type"
    請重設 AD Administrator 的密碼,詳細資訊請參考
    http://gentoo-wiki.com/HOWTO_Adding_...ting_AD_Domain

    修改/var/lib/samba/winbindd_privileged的目錄權限為750, 群組squid, 讓squid可以讀取winbind的socket.

    設定與DC溝通時的使用者

    # wbinfo --set-auth-user=user%password (具有一般權限使用者即可)
    

    啟動(重啟) Samba & winbind

    #service smb restart
    #service winbind restart
    

    Step 2) 設定 Squid
    檢查 Squid 編譯時的參數支援

    #squid -v
    
    確認是否有這幾項
    --enable-auth=ntlm,basic
    --enable-basic-auth-helpers=winbind
    --enable-ntlm-auth-helpers=winbind
    --enable-external-acl-helpers="winbind_group,wbinfo_group"
    

    如果未包含, 請重新編譯原始檔, 如果有, 請跳過此步驟.

    重新編譯 Squid rpm:
    從官方網站下載相應版本的 source rpm = squid-2.5.STABLE6-3.src.rpm
    ftp://ftp.redhat.com

    #rpm -i squid-2.5.STABLE6-3.src.rpm
    #cd /usr/src/redhat/SPECS
    #vi squid.spec
    

    請在適當的地方加上編譯所需的參數.

    #rpmbuild -bb squid.spec
    

    安裝 RPM 時請參考上述 Samba 的說明.

    修改 squid.conf

    # NT challenge Authentication for IE
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 20 minutes
    
    # Plain Text Authentication for others
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    
    #設定Authorization program,授與使用者群組讀取權限(如果只需驗證是否為網域使用者則不需要)
    external_acl_type NT_global_group ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl
    
    #設定Acess Control list, 配合external_acl_type, 若如果只需驗證是否為網域使用者而不限定群組則使用 acl UserGroup proxy_auth REQUIRED 即可
    acl UserGroup external NT_global_group "/etc/squid/usergroup"
    
    # 允許該群組者存取
    http_access allow UserGroup
    

    為了讓程式可以檢驗複數群組,並對應Samba3.0.2(wbinfo -r結果與前版不同)需動手修改/usr/lib/squid/wbinfo_group.pl

    #!/usr/bin/perl -w
    #
    # external_acl helper to Squid to verify NT Domain group
    # membership using wbinfo
    #
    # This program is put in the public domain by Jerry Murdock
    # <[email protected]>. It is distributed in the hope that it will
    # be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
    # of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    #
    # Author:
    # Jerry Murdock <[email protected]>
    #
    # Version history:
    # 2002-07-05 Jerry Murdock <[email protected]>
    # Initial release
    #
    # 2003-12-16 Jim Barber
    # Added mutiple Group check in Group file
    
    # external_acl uses shell style lines in it's protocol
    require 'shellwords.pl';
    
    # Disable output buffering
    $|=1;
    
    sub debug {
    # Uncomment this to enable debugging
    # print STDERR "@_n";
    }
    
    #
    # Check if a user belongs to a group
    #
    sub check {
    local($user, @group) = @_;
    local($group);
    foreach $group (@group)
    {
    $groupSID = `wbinfo -n "$group"`; chop $groupSID; $groupGID = `wbinfo -Y "$groupSID"`; chop $groupGID; &debug( "User: -$user-nGroup: -$group-nSID: -$groupSID-nGID: -$groupGID-"); return 'OK' if(`wbinfo -r Q$userE` =~ /^$groupGID$/m); } return 'ERR'; } # # Main loop # while (<STDIN>) { chop; &debug ("Got $_ from squid"); ($user, @group) = &shellwords; $ans = &check($user, @group); &debug ("Sending $ans to squid"); print "$ansn"; }

    **紅字為修改的部份

    建立/etc/squid/usergroup檔, 並加入允許存取squid之AD群組, 內容如

    Domain Admins
    Internet User
    

    設定完成, 啟動 Squid ,可以進行測試了.

    #service squid start
    

    FAQ:

    1. 為方便除錯進行, 我們建議先不考慮與 AD 認證之設定下, 確定 Squid 可正常工作, 我們也確實因此發現 SELinux service 的影響.

    2. squid 重啟失敗, squid -v 無輸出等狀況, 請關閉 SELinux 的 Squid 項, Desktop-->Applications->security level-->SELinux--SELinux Service Protection-->Disable SELinux Protection for squid daemon

    3. 如何檢查 Linux 與 AD 的連線及帳號存取???
    成功 Join win2K AD 後可使用這些指令驗證.
    wbinfo -g //顯示AD 的所有群組
    wbinfo -u //顯示AD 的所有帳號
    wbinfo -a myid%mypass //帳號登入驗證
    wbinfo -t //與 AD 連線測試
    wbinfo -n "somegroup" //Convert group name to sid

    4. 可顯示 AD 的帳號及群組, 但使用 wbinfo -n 轉換 sid 時出現"Could not lookup name"???
    經筆者找遍網路文章, 都無法解決, 最後下載官方最新版 3.0.21 ,以編譯方式安裝才獲得解決.
    請注意,此版雖然可正常轉換 sid, 但輸入格式與舊版不同, 當整合 wbinfo_group.pl 時, 需作程式碼修正.

    請修改 /usr/lib/squid/wbinfo_group.pl
    找到這幾行

    sub check {
    local($user, $group) = @_;
    $groupSID = `wbinfo -n "$group"`;
    chop $groupSID;
    $groupGID = `wbinfo -Y "$groupSID"`;
    chop $groupGID;
    

    改成這樣

    sub check {
    local($user, $group) = @_;
    $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
    chop $groupSID;
    $groupGID = `wbinfo -Y "$groupSID"`;
    chop $groupGID;
    

    5. 用戶端數量在超過 15 個時, 會發生連線不順暢, 經常需要重新整理網頁才可顯示正常, 且下載檔案時會不時中斷.
    A:請檢查 cache.log 是否有警告訊息
    ===========================
    WARNING: All ntlmauthenticator processes are busy.
    2006/04/14 09:17:01|
    WARNING: up to 14 pending requests queued
    2006/04/14 09:17:01|
    Consider increasing the number of ntlmauthenticator processes to at least 19 in your config file.
    ===========================
    請加大這個參數的值-->20

    auth_param ntlm children 20
    auth_param basic children 20

    6. How to avoid JVM authentication dialog box.
    A:Add the following

    acl java_jvm browser Java
    

    Then,before your http_access for the authenticated users, use:

    http_access allow java_jvm
    標籤 (Edit tags)
    • No tags
    您必須 登入 才能發佈評論。
    Powered by MindTouch Core